Law360, New York (December 12, 2016, 11:11 PM EST) — A novel lawsuit unsealed Friday alleging a Chicago firm committed malpractice through shoddy cybersecurity presages more allegations by clients focused on confidential data held by their lawyers, experts say, even as a dearth of hard evidence of firm hacks will make most claims tough to make stick in court.
While the final outcome of the suit against Johnson & Bell Ltd. will likely remain under wraps — the parties are now in a confidential arbitration — the action may be a kind of test case for future BigLaw clients looking for leverage over firms they feel carelessly expose confidential data to hackers.
“It’s going to continue to be hard to show causation and damages in law firm breaches, but don’t forget that in most jurisdictions, causation and damages are questions of fact and not law that will be decided by a jury,” said legal ethics expert Eli Wald of the University of Denver’s Sturm College of Law.
“If a plaintiff like this can survive a motion to dismiss and the case heads to a trial, you can see how quite a few firms are going to want to settle because they don’t want to be the poster child for bad cybersecurity,” he said.
On Friday, an Illinois federal court unsealed a proposed class action filed in April against Johnson & Bell, a 100-lawyer trial firm with offices in Illinois and Indiana.
The case was filed by bitcoin-to-gold exchange Coinabul LLC and operator Jason Shore, whom the firm defended in 2014 and 2015 in a case brought by one of the company’s customers.
The plaintiffs alleged the firm’s file and online systems were rife with “critical vulnerabilities” primed for hackers, even as Johnson & Bell presented itself publicly as a cybersecurity expert.
The complaint, which includes claims for breach of contract, negligence and breach of fiduciary duty, does not point to any specific data breach or loss of confidential information suffered by Coinabul. Instead, it focuses on a broader alleged failure to reasonably protect sensitive client data, particularly through an online attorney time-tracking system and the use of a virtual private network, or VPN.
“Johnson & Bell has injured its clients by charging and collecting market-rate attorneys’ fees without providing industry standard protections for client confidentiality,” according to the complaint.
Notably, the suit also refers to newly strengthened professional conduct rules on client confidentiality and electronically stored data. Some of the changes made to the ABA Model Rules since 2012 were adopted in Illinois last year and went into effect in January.
The firm’s May motion to dismiss, also unsealed Friday, argues that Coinabul has no standing because it cannot point to a concrete injury. The firm also notes that the plaintiffs’ counsel at class action and privacy firm Edelson PC represented a former Coinabul client who sued the company and Shore, saying he’d been ripped off in several bitcoin-gold transactions.
After a Johnson & Bell team withdrew from the defense case — the firm cited communication breakdowns with its client and other unspecified problems — Coinabul and Shore were hit last year with a $1.5 million default judgment.
The Coinabul complaint prepared by Edelson lawyers “is littered with ‘if’s’ and ‘could-be’s,’ and references nothing more than a possibility of harm at some possible time in the unknown future,” according to the defense motion.
The case was dismissed at the plaintiffs’ request in May, according to Johnson & Bell counsel Michael Bruck of Williams Montgomery & John Ltd.
Bruck confirmed that the claims had been moved into a confidential arbitration under the terms of a firm engagement letter, and that the result of those proceedings would in all likelihood remain confidential.
“J&B was never hacked, and the suit was based entirely on so-called vulnerabilities, and how do you evaluate that?” he said. He declined to comment further.
Ethics and cybersecurity experts said the lack of hard evidence in the Johnson & Bell complaint mirrors a broader issue for understanding the BigLaw cybersecurity threat.
Over the last several years, a chorus of experts at the FBI and elsewhere have pointed to major law firms as a point of vulnerability for hackers who see a “back door” to sensitive corporate information.
But reported instances of hacks have been rare, with many technology specialists saying the problem is likely bigger than the industry realizes because many online attacks go undetected. Other attacks are spotted but are not well-understood, with the extent or source of a breach difficult or impossible to determine.
“It’s largely anecdotal evidence you hear about … and no one has any kind of systematic study” of law firm cyberattacks, said Stephen Wu of Silicon Valley Law Group, whose practice focuses on information security and privacy.
In the most high-profile attack, a massive trove of data from Panamanian law firm Mossack Fonseca was made public by way of a breached email server, with serious political and business fallout in a number of countries.
Earlier this year, the FBI and federal prosecutors with the Southern District of New York reportedly launched an investigation to determine if Cravath Swaine & Moore LLP, Weil Gotshal & Manges LLP and others were hit by hackers targeting insider information on publicly traded companies.
Last year, California firm Ziprick & Cramer LLP reported that it had been the victim of a “ransomware” attack in which unknown hackers attempted to hold data for ransom, according to a notice recently filed with the California attorney general’s office.
While a Monday report from cybersecurity firm BitSight Technologies indicated that law firms are making progress in protecting client data, the report and others like it have offered little in the way of hard data.
Wu and others said, despite the lack of information, the threat is real, even if firms are reluctant to admit they know — or don’t know enough — about online attacks.
“I won’t say never, but successful suits over law firm breaches are going to be rare,” said Wu, who cited a dearth of public information on firm attacks and the difficulty clients face in drawing a line between a cyberattack and damages as limitations on such lawsuits.
The incentives for a client or a plaintiffs firm to sue a single law firm, even a large one with deep pockets, are also problematic, he argued.
“You would have to have e-discovery, an investigation, experts — you’d need access to systems and know what you’re looking for, so these would be expensive cases to file,” he said. Unless it’s a very large breach with verifiable damages or a firm with many clients who suffered the same loss of confidentiality, “it just doesn’t make a lot of economic sense.”
Wald, who has called for mandated client disclosures of attacks and other cyber-rule tightening, said the Edelson firm and like-minded lawyers were likely taking the long view that, as stricter conduct guidelines are adopted around electronic data, courts will move toward a stricter view of liability of firms with less-than-stellar security practices. He also noted that the spread of cyberattack insurance “might be a deep pocket” for malpractice claims to target in the event of a known cyberattack.
“Questions of causation and damages will remain complex, but what I believe will happen is that the new conduct rules will help plaintiffs establish a breach of the duty of care when a law firm fails to protect clients’ data with reasonable care,” he said.
A message left Monday for plaintiffs counsel Jay Edelson was not returned.
The plaintiffs are represented by Jay Edelson, Amir Missaghi, Benjamin Richman, Benjamin Thomassen, and Rafey Balabanian of Edelson PC.
Johnson & Bell is represented by Michael Bruck of Williams Montgomery & John Ltd.
The case is Shore et al. v. Johnson & Bell Ltd., case number 1:16-cv-04363, in the U.S. District Court for the Northern District of Illinois.